-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathoidc_nginx_http.conf
132 lines (113 loc) · 6.77 KB
/
oidc_nginx_http.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# -----------------------------------------------------------------------------#
# #
# NGINX Configuration for OpenID Connect #
# (within http block) | #
# | #
# http { | #
# : | #
# +-----------------------------------+ | #
# | include "oidc_nginx_http.conf"; | <--+ #
# +-----------------------------------+ #
# : #
# server { #
# : #
# } #
# : #
# } #
# #
# - This file is to configure NGINX related info to handle OIDC workflow. #
# - Each map block allows multi values so that multiple IdPs can be supported. #
# - The $host variable is used as default input parameter but can be changed. #
# #
# ---------------------------------------------------------------------------- #
variables_hash_max_size 8192;
map_hash_max_size 128;
map_hash_bucket_size 128;
map $proto $oidc_cookie_flags {
http "Path=/; SameSite=lax;"; # For HTTP/plaintext test
https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation
}
map $http_x_forwarded_port $redirect_base {
"" $proto://$host:$server_port;
default $proto://$host:$http_x_forwarded_port;
}
map $http_x_forwarded_proto $proto {
"" $scheme;
default $http_x_forwarded_proto;
}
map $oidc_app_identifier $post_logout_return_uri {
# The following examples can be replaced with a custom logout page, or
# complete URL to be redirected after successful logout from the IdP.
# Example 1: Redirect to the original page.
default $redirect_base;
# Example 2: Redirect to a custom logout page
# default https://www.google.com;
}
map $oidc_app_identifier $return_token_to_client_on_login {
# This is to return token as a query param to the app after successful login.
# +------------+-----------------------------------------------------------+
# | options | example |
# +------------+-----------------------------------------------------------+
# | id_token | http://my-nginx.example.com/login?id_token=sdfsdfdsfs |
# | none or "" | http://my-nginx.example.com (no query param) |
# +------------+-----------------------------------------------------------+
default "";
}
map $oidc_app_identifier $session_validation_enable {
default 0; # 0: disable when testing APIs w/ session cookie on any client
}
map $oidc_app_identifier $session_id_time_enable {
default 0; # 1: timestamp(hh:mm) is included in session ID
}
map $oidc_app_identifier $client_id_validation_enable {
default 0; # 1: check if `client_id` is included in cookie when login
}
map $cookie_client_id $x_client_id {
default $cookie_client_id;
}
map $oidc_app_identifier $access_token_validation_enable {
#
# Auth0:
# - An access token is meant for an API and should be validated only by the
# API for which it was intended. If you receive an access token from an
# IdP, in general, you don't need to validate it. You can pass it to the
# issuing IdP and the IdP takes care of the rest.
# - audience needs to be added in query param for authZ endpoint request if
# you want to have claims in the access token.
# https://auth0.com/docs/secure/tokens/access-tokens/validate-access-tokens
#
# Okta: TODO when this is enabled.
# - option-1) local validation: minimum claims are validated as for now.
# - option-2) validate a token directly with Okta (introspection)
# https://developer.okta.com/docs/guides/validate-access-tokens/dotnet/main/
#
default 0;
}
# ADVANCED CONFIGURATION BELOW THIS LINE
# Additional advanced configuration (server context) in oidc_nginx_server.conf
# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;
# Key/Value store for ID token, access token and refresh token.
# Change timeout values to at least the validity period of each token type
keyval_zone zone=oidc_id_tokens:1M state=/var/lib/nginx/state/oidc_id_tokens.json timeout=1h;
keyval_zone zone=oidc_access_tokens:1M state=/var/lib/nginx/state/oidc_access_tokens.json timeout=1h;
keyval_zone zone=oidc_refresh_tokens:1M state=/var/lib/nginx/state/oidc_refresh_tokens.json timeout=8h;
# Temporary storages.
keyval_zone zone=oidc_pkce:128K timeout=90s; # for PKCE code verifier
keyval_zone zone=oidc_nonce_hash:128K timeout=90s; # for NONCE
keyval_zone zone=oidc_token_query_params:128K timeout=90s; # for query params of token endpoint
keyval $cookie_session_id $id_token zone=oidc_id_tokens; # Exchange cookie for ID token
keyval $cookie_session_id $access_token zone=oidc_access_tokens; # Exchange cookie for access token
keyval $cookie_session_id $refresh_token zone=oidc_refresh_tokens; # Exchange cookie for refresh token
keyval $session_id $new_id_token zone=oidc_id_tokens; # For initial session creation for ID token
keyval $session_id $new_access_token zone=oidc_access_tokens; # For initial session creation for access token
keyval $session_id $new_refresh zone=oidc_refresh_tokens; # For initial session creation for refresh token
keyval $session_id $nonce_hash zone=oidc_nonce_hash; # For NONCE
keyval $session_id $token_query_params zone=oidc_token_query_params; # for query params of token endpoint
keyval $pkce_id $pkce_code_verifier zone=oidc_pkce;
auth_jwt_claim_set $jwt_audience aud; # In case aud is an array
js_import oidc from conf.d/oidc.js;
js_set $token_encoder oidc.tokenEncoder;
js_set $idTokenClaims oidc.idTokenClaims;
js_set $accessTokenClaims oidc.accessTokenClaims;
# vim: syntax=nginx